This document provides three sample configurations for the Catalyst
2948G-L3. The configurations are a single-VLAN network, a multi-VLAN network,
and a multi-VLAN distribution layer connection to a network core. Each
configuration section contains an example topology and explains the creation of
the example networks. Additionally, a companion document is available that
provides each configuration in its entirety for your review.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

From a configuration standpoint, the Catalyst 2948G-L3 is a router
that runs Cisco IOS, and all interfaces are routed interfaces by default.

The Catalyst 2948G-L3 does not extend your VLANs. Rather, this
switch-router terminates VLANs on a routed interface unless bridging is
configured. Bridging interfaces allows you to extend VLANs on the routed
interfaces.

The Catalyst 2948G-L3 does not support several Layer 2-oriented
protocols, such as VTP, DTP, and PAgP, found on other Catalyst
switches.

Release 12.0(7)W5(15d) and earlier of the Catalyst 2948G-L3 does not
support:

Data-plane (security) Access Control Lists (ACLs) on any interface.
User data traffic cannot be restricted with input or output access lists on
the router interfaces. ACLs on the Gigabit Ethernet interfaces are now
supported in release 12.0(10)W5(18e).

Bridging on 802.1q subinterfaces. Bridging on 802.1q subinterfaces is
now supported in release 12.0(10)W5(18e).

AppleTalk routing.

Port snooping, which is also known as SPAN, port mirroring, or
promiscuous mode.

Because the Catalyst 2948G-L3 switch does not support bridging on IEEE
802.1q subinterfaces in IOS® release 12.0(7)W5(15d), you cannot bridge a single
IP subnet across VLAN 1 in this example (as is done on ISL subinterfaces in
Example 2). Therefore, management for the Catalyst 2948G-L3 is through any IP
interface on the switch, while management for the Catalyst 2948G switches is
on one of the user VLAN subnets rather than on VLAN 1.

In general, it is not recommended that you put the sc0 management
interface in a user VLAN. However, an exception is made in this example because
the Catalyst 2948G-L3 does not support bridging on 802.1q subinterfaces in the
IOS release used in this example. This exception is also appropriate because
the user subnets are relatively small; each subnet contains no more than 126
host addresses.

The configurations on all devices were cleared with the
clear config all and write
erase commands in order to ensure that there is a default
configuration.

The calendar set command sets the time
and date on the switch's internal calendar chip (this command does not apply to
the Catalyst 2900 XL and Catalyst 3500 XL switches).

The clock set command sets the time and
date for the switch clock.

The hostname command sets the host name
for the switch.

The clock calendar-valid command tells
the switch to set the clock date and time with the date and time stored in the
calendar chip at the next reload (this command does not apply to the Catalyst
2900 XL and Catalyst 3500 XL switches).

The service timestamps log datetime localtime
msec and the service timestamps debug datetime
localtime msec commands aid in management and help you
troubleshoot because these commands timestamp syslog
and debug output with the current date and time (to
the millisecond).

The enable secret <password> command defines a password in order to enter
privileged mode on the switch. The enable secret command stores the password
as a one-way cryptographic MD5 hash, so the password is not shown in clear
text when show running-config is used.

The line vty 0 4 command enters into
line configuration mode so you can define a password for incoming Telnet
sessions on the virtual terminal (vty) lines.

The password command defines a password
in order to enter normal mode on the switch through a Telnet session on the vty
lines.

The no logging console command prevents
syslog messages on the terminal console. The command is used in these examples
in order to simplify the screen captures.

On CatOS switches, such as the Catalyst 2948G and the Catalyst 6506,
this basic configuration must be applied to each switch:

Console> (enable) set time 09/01/03 18:00:00
Mon Sep 1 2003, 18:00:00
Console> (enable) set system name 2948G-01
System name set.
2948G-01> (enable) set system location <location>
System location set.
2948G-01> (enable) set system contact sysadmin@corp.com
System contact set.
2948G-01> (enable) set logging console disable
System logging messages will not be sent to the console.
2948G-01> (enable) set password
Enter old password:
Enter new password:
Retype new password:
Password changed.
2948G-01> (enable) set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed.
2948G-01> (enable)

The set time command sets the date and
time on the switch.

The set system commands specify
information about the switch, such as name, location, and contact.

The set logging console disable command
prevents syslog messages on the terminal console. The command is used in these
examples in order to simplify the screen captures.

The set password command defines a
password for incoming Telnet sessions on the switch.

The set enablepass command defines a
password in order to enter privileged mode on the switch.

In this example, the Catalyst 2948G-L3 is deployed as a second switch
in an existing single-VLAN network. The network already consists of
workstations and a server connected to a Catalyst 3548 XL. The Catalyst
2948G-L3 was purchased in order to allow the company to eventually migrate to a
routed network with multiple VLANs (see Example 2).

This configuration is applied to the switches:

IP addresses are assigned to the switches for management.

The switches are connected with a two-port Gigabit EtherChannel link.

All interfaces on the Catalyst 2948G-L3 are assigned to a single
bridge-group.

End hosts and servers are attached to the Fast Ethernet ports on the
Catalyst 3548 XL and the Catalyst 2948G-L3.

Spanning-tree is disabled on all interfaces of the Catalyst 2948G-L3
with end-stations attached.

Spanning-tree portfast is enabled on all ports of the Catalyst 3548
XL that you plan to connect to an end station.

This output shows how to configure IP addresses on the Catalyst 3548 XL
for management purposes. Later in this example, a Bridge Virtual Interface
(BVI) is configured on the Catalyst 2948G-L3 in order to allow Telnet access.

The logical port-channel interface is assigned to the bridge-group on
the Catalyst 2948G-L3. If you assign the bridge-group to the port-channel
interface, VLAN 1 traffic on the 3548 XL can pass to the 2948G-L3 bridged
interfaces.

Integrated Routing & Bridging (IRB) is enabled and a Bridge
Virtual Interface (BVI) is configured to allow Telnet access to the Catalyst
2948G-L3.

Note: Disabling spanning-tree on a bridged router interface is not the same
as enabling spanning-tree portfast on a switch port. The router does not block
the port if BPDUs are received from a switch or bridge mistakenly connected to
the interface. Be careful to connect only workstations or other end-hosts to
interfaces with spanning tree disabled. Do not disable spanning tree on the
port if you plan to connect a hub or switch to the port.
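One way to check the caution in the note above against a saved configuration, as an added example that is not part of the original document: the Python script below lists every interface that carries `bridge-group N spanning-disabled` and reports those missing from an approved end-host port list. The sample configuration, the interface roles and the allow-list are constructed for illustration.

```python
import re

# Constructed sample in the style of Example 1: host ports and the Gigabit
# EtherChannel to the Catalyst 3548 XL all belong to bridge-group 1.
# FastEthernet3 and Port-channel1 are the deliberate problem cases.
SAMPLE_CONFIG = """\
bridge irb
!
interface FastEthernet1
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet2
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet3
 description patched to a lab switch
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet49
 channel-group 1
!
interface Port-channel1
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
"""

# An interface stanza: the "interface" line plus its indented sub-commands.
STANZA = re.compile(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", re.MULTILINE)
SPANNING_OFF = re.compile(
    r"^[ \t]+bridge-group (\d+) spanning-disabled[ \t]*$", re.MULTILINE)


def spanning_disabled_ports(config):
    """Map interface name -> bridge-group on which spanning tree is disabled."""
    found = {}
    for name, body in STANZA.findall(config):
        match = SPANNING_OFF.search(body)
        if match:
            found[name] = int(match.group(1))
    return found


def unapproved_ports(config, end_host_ports):
    """Spanning-disabled interfaces that are not on the approved end-host list."""
    return sorted(set(spanning_disabled_ports(config)) - set(end_host_ports))


if __name__ == "__main__":
    # Hypothetical allow-list: ports documented as having a single workstation.
    approved = {"FastEthernet1", "FastEthernet2"}
    for port in unapproved_ports(SAMPLE_CONFIG, approved):
        print(f"{port}: spanning tree disabled but not an approved end-host port")
```
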

In this example, the Catalyst 2948G-L3 is deployed as an inter-VLAN
router in a network composed of several other switches, which include a
Catalyst 3548 XL, a Catalyst 3512 XL, and a Catalyst 2924 XL.

The network consists of four VLANs and IP subnets, as well as a fifth
IP subnet used for end-hosts attached to the bridged interfaces on the Catalyst
2948G-L3.

End-stations are attached to the Catalyst 2948G-L3, the Catalyst 3548
XL, and the Catalyst 2924 XL switches. Servers are connected to the Catalyst
3512 XL.

This configuration is applied to the switches:

IP addresses and default gateways are assigned to the switches for
management.

The Catalyst 2948G-L3 and Catalyst 3512 XL switches are connected
with a two-port Gigabit EtherChannel link.

The Catalyst 2948G-L3 and Catalyst 3548 XL switches are connected
with a four-port Fast EtherChannel link.

The Catalyst 2948G-L3 and Catalyst 2924 XL switches are connected
with a single Fast Ethernet link.

All switch-to-switch connections are configured as ISL trunks.

VLAN 1 traffic is bridged throughout the network, so that management
for all switches occurs on a single IP subnet (subnet 10.1.1.0/24).

Interfaces FastEthernet 1 through 43 on the Catalyst 2948G-L3 are
assigned to a single bridge-group for end-station connections with IP subnet
10.200.200.0/24.

Spanning-tree is disabled on all interfaces of the Catalyst 2948G-L3
with end-stations attached.

Note: The IP address used for the default gateway is 10.1.1.1. This is the
IP address of the BVI interface that is used as the management VLAN for all
switches (configured later in this example) on the Catalyst 2948G-L3
switch.

This output shows how to configure the two-port Gigabit EtherChannel
link between the Catalyst 2948G-L3 and the Catalyst 3512 XL, and the four-port
Fast EtherChannel link between the Catalyst 2948G-L3 and the Catalyst 3548 XL:

This output shows how to configure the Catalyst 2948G-L3 for bridging.
Interfaces FastEthernet 1 through 43 are assigned to a single bridge-group
(bridge-group 200) and spanning tree is disabled on these interfaces.

Because inter-VLAN routing is required, Integrated Routing &
Bridging (IRB) must be enabled with the bridge irb
command. In addition, in order to route traffic between the bridged interfaces
on the Catalyst 2948G-L3 and the other VLANs in the network, a Bridge Virtual
Interface (BVI) is created.

Finally, a second bridge-group and BVI interface are created for the
management VLAN. In the Configuring the ISL Trunks
Between Switches section, the VLAN 1 subinterfaces are joined to this
bridge-group to create a single Layer 2 domain for switch management.

There are three ISL trunks in this example. Two are configured on
EtherChannels, and one is configured on a single physical interface.

In order to configure trunking on the Catalyst 2948G-L3, subinterfaces
are added under the main interface. One subinterface is added for each VLAN
transmitted on the trunk. In this example, the VLAN 1 subinterfaces are bridged
together in order to form a single Layer 2 domain for switch management. This
is achieved with IP subnet 10.1.1.0/24.

On the XL switches, notice that the configuration is only applied to a
single interface in the channel group. This is because any configuration
applied to one interface in a port group is applied to all the other interfaces
in the port group automatically, and appears in the configuration for each
interface.

In this example, two Catalyst 2948G-L3 switches are deployed in order
to provide distribution-layer inter-VLAN routing and aggregation for multiple
access-layer switches. In addition, the Catalyst 2948G-L3 switches are
connected to two Catalyst 6506 switches in order to provide connectivity to the
network core.

Note: The configuration of the core Catalyst 6506 switches is not fully
discussed in this example. The core switch configurations are discussed only to
the degree necessary for this example.

In this example, traffic is load-shared between the two Catalyst
2948G-L3 switches: half of the traffic passes through Catalyst 2948G-L3-01
while the other half passes through Catalyst 2948G-L3-02.

In the access layer, there are multiple Catalyst 2948G switches with
two Fast EtherChannel links, one to each Catalyst 2948G-L3. There are two user
VLANs configured on each Catalyst 2948G; traffic for one VLAN passes over one
link, traffic for the second VLAN passes over the other link. In the event of a
link failure, all traffic passes over the remaining link.

Note: The 2948G switch, without the "-L3", is a Layer 2 switch that
supports the Catalyst OS command line interface. This switch does not support
the IOS interface supported on the Catalyst 2948G-L3.

End-stations are attached to the Catalyst 2948G switches. Servers and
other shared resources are located in the core of the network.

Note: The network core configuration is not fully discussed here.

This configuration is applied to the switches:

IP addresses and default gateways are assigned to the switches for
management.

Each Catalyst 2948G switch in the access layer has two Fast
EtherChannel links (ports 2/45-46, and ports 2/47-48), one link to each
Catalyst 2948G-L3.

Each Catalyst 2948G-L3 switch has two Gigabit Ethernet links to the
core, one to each of the core Catalyst 6506 switches.

The Catalyst 6506 switches in the core are interconnected by a 4-port
Gigabit EtherChannel link.

The switch-to-switch connections between the Catalyst 2948G switches
and the Catalyst 2948G-L3 switches are configured as IEEE 802.1q trunks.

On the Catalyst 2948G-L3 switches, there are two links to the core
Catalyst 6506 switches; one link goes to 6506-01 on VLAN 10 and the other goes
to 6506-02 on VLAN 15. These VLANs are different from VLANs 10 and 15 in the
access layer because VLANs 10 and 15 in the access layer are terminated at the
Layer 3 interfaces of the Catalyst 2948G-L3 switches.

The switch-to-switch connection between the Catalyst 6506 switches is
configured as an ISL trunk.

Ports on the Catalyst 2948G switches are divided equally between two
VLANs. For example, ports 2/1 through 2/22 on 2948G-01 are assigned to VLAN 10,
and ports 2/23 through 2/44 are assigned to VLAN 15.

Ports of the Catalyst 2948G switches, with end-stations attached, are
configured as host ports. Spanning-tree portfast is enabled, trunking is off,
and channeling is off.

HSRP is configured on the Catalyst 2948G-L3 switches in order to
provide first hop (default gateway) redundancy for the access-layer
end-stations.

EIGRP is configured as the routing protocol on the Catalyst 2948G-L3
switches in order to exchange routing information with routers in the network
core.

On the Catalyst 2948G and Catalyst 6506 switches, an IP address and
VLAN are assigned to the sc0 management interface and an IP default route is
defined.

Because the Catalyst 2948G-L3 switch does not support bridging on IEEE
802.1q subinterfaces, you cannot bridge a single IP subnet across VLAN 1 in
this example (as is done on ISL subinterfaces in Example 2).
Therefore, management for the Catalyst 2948G-L3 is through any IP interface on
the switch, while management for the Catalyst 2948G switches is on one of the
user VLAN subnets rather than on VLAN 1.

In general, it is not recommended to put the sc0 management interface
in a user VLAN. However, an exception is made in this example because the
Catalyst 2948G-L3 does not support bridging on 802.1q subinterfaces, and
because the user subnets are relatively small. There are no more than 126 host
addresses per subnet.

On the Catalyst 6506 switches in the core, the sc0 interface is
assigned to VLAN 1. The default gateway is the IP address of a router interface
in the core. The router interface is not discussed in this example.

Note: The system returns an error when you assign the sc0 interface to a
VLAN that has not been configured yet. This VLAN is associated with the sc0
interface, but is not added to the switch. This is done later, when the
VLANs are defined on the access layer switches.

You can verify the configuration with the show
interface and show ip route
commands:

In this example, the access-layer Catalyst 2948G switches are
configured in VTP transparent mode because a VTP domain cannot be extended
across the Catalyst 2948G-L3 switches. Two VLANs are configured on each
access-layer switch.

The Catalyst 6506 switches in the core are configured as VTP servers in
a VTP domain shared with the rest of the core switches (not discussed in this
example). Traffic from the Catalyst 2948G-L3 switches in the distribution layer
is carried into the core on VLAN 10, for even VLANs, and VLAN 15, for odd
VLANs.

VLANs 10 and 15 only need to be added onto one Catalyst 6506 switch
because both of them are in the same VTP domain and are interconnected by a
trunk link. VTP advertises the new VLAN configuration to the other switches in
the same VTP domain.

This output shows how to configure the Fast EtherChannel links between
the access-layer Catalyst 2948G switches and the Catalyst 2948G-L3 switches,
and the Gigabit EtherChannel between the core Catalyst 6506 switches.

In this example, the trunks from the Catalyst 2948G switches to the
Catalyst 2948G-L3 switches use IEEE 802.1q encapsulation. The trunk between the
core Catalyst 6506 switches uses ISL encapsulation.

Each trunk between the Catalyst 2948G switches and the Catalyst
2948G-L3 switches carries three VLANs: VLAN 1 and the two user VLANs on each
switch. The native VLAN is 1. Notice that no IP addresses are assigned to the
VLAN 1 subinterfaces because these subinterfaces are not used to route user
traffic. However, protocols such as VTP and CDP are passed on VLAN 1.

In order to configure trunking on the Catalyst 2948G-L3, subinterfaces
must be added under the main port-channel interface; one subinterface is added
for each VLAN transmitted on the trunk. An IP address is assigned to each
subinterface, and HSRP is configured between the two Catalyst 2948G-L3 switches
in order to provide first-hop (default gateway) redundancy for the
end-stations.

On Catalyst 2948G-L3-01, the subinterfaces for odd VLANs, 15, 25, 35,
and so on, are the HSRP active interfaces. On Catalyst 2948G-L3-02, the
subinterfaces for even VLANs, 10, 20, 30, and so on, are the HSRP active
interfaces. In the event that the primary link goes down, the standby HSRP
interface becomes the active and continues to function as the default gateway
for end-stations in the VLAN.

In addition, the Catalyst 2948G-L3 switches use the HSRP tracking
feature in order to favor one HSRP interface over another based on whether the
Gigabit Ethernet links into the network core are up or down.
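The interaction of HSRP priority, preempt and interface tracking described above, worked through as a small Python model (an added example, not configuration from the original document). The priorities, decrements and Gigabit Ethernet interface names are constructed, and the takeover rule is simplified to "preempt configured and strictly higher effective priority".

```python
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    priority: int = 100          # HSRP default priority
    preempt: bool = False
    # tracked interface -> priority decrement (the IOS default decrement is 10)
    track: dict = field(default_factory=dict)

    def effective_priority(self, down):
        """Configured priority minus the decrement of each tracked link that is down."""
        return self.priority - sum(
            dec for link, dec in self.track.items() if (self.name, link) in down)


def next_active(current, routers, down):
    """Name of the active router once the given (router, link) failures settle.

    Simplified model (assumption): a router takes over only when it has preempt
    configured and a strictly higher effective priority than the current active.
    """
    prio = {r.name: r.effective_priority(down) for r in routers}
    challengers = [r.name for r in routers
                   if r.preempt and prio[r.name] > prio[current]]
    return max(challengers, key=prio.get) if challengers else current


def vlan15_scenarios(standby_preempt=True):
    """Walk the VLAN 15 group through uplink failures; all values are constructed."""
    uplinks = {"GigabitEthernet49": 10, "GigabitEthernet50": 10}
    routers = [
        HsrpRouter("2948G-L3-01", priority=115, preempt=True, track=uplinks),
        HsrpRouter("2948G-L3-02", priority=100, preempt=standby_preempt),
    ]
    one_down = {("2948G-L3-01", "GigabitEthernet49")}
    both_down = one_down | {("2948G-L3-01", "GigabitEthernet50")}
    return {
        # 115 - 10 = 105 > 100: the backup core link is still up, no HSRP change
        "one_uplink_down": next_active("2948G-L3-01", routers, one_down),
        # 115 - 20 = 95 < 100: the peer takes over only if it has preempt
        "both_uplinks_down": next_active("2948G-L3-01", routers, both_down),
        # back to 115: the primary reclaims the active role through preempt
        "uplinks_restored": next_active("2948G-L3-02", routers, set()),
    }


if __name__ == "__main__":
    print(vlan15_scenarios())
    print(vlan15_scenarios(standby_preempt=False))
```

With preempt missing on the standby router, the model keeps 2948G-L3-01 active even with both core uplinks down, which is the condition to look for when you review the show standby output.
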

It is important to understand that every VLAN in the access-layer is
terminated at the Catalyst 2948G-L3 routed interfaces.

In addition to the trunks to the access-layer switches, each Catalyst
2948G-L3 switch has two ports that connect into the network core: one in VLAN
10 and the other in VLAN 15.

Catalyst 2948G-L3-01 uses the VLAN 15 link as the primary link and
performs the routing for the odd VLANs, 15, 25, 35, and so on. Catalyst
2948G-L3-02 uses the VLAN 10 link as the primary link and performs the routing
for the even VLANs, 10, 20, 30, and so on. In the event of a link failure, the
backup link into the core is used. EIGRP routing, which is configured later in
this example, is used in order to determine on which link traffic is forwarded.

The encapsulation dot1q 1 native command
configures the 802.1q VLAN encapsulation for the current subinterface and
defines it as the native VLAN for the trunk.

The other encapsulation dot1q commands
configure the 802.1q VLAN encapsulation for each
subinterface.

The ip address command defines the IP
address and subnet mask for each subinterface.

The standby commands define the HSRP
configuration for each subinterface, including the HSRP IP address, priority,
authentication string, and interfaces to
track.

You can verify the interface configuration with the show
interface type # command. You can verify
the IP configuration with the show ip interface type
# command. You can verify the HSRP configuration with
the show standby command.

Note: The nonegotiate keyword must be used when you
configure a trunk to the Catalyst 2948G-L3, or any router, because the Catalyst
2948G-L3 does not support the dynamic negotiation of trunk links with
DTP.

In this example, EIGRP is configured to exchange routing information
with other routers in the network core. The configuration of the core devices
is not considered in this example.

The IP addressing scheme in this example was chosen so that all of the
access-layer VLANs can be summarized to the core routers in a single
advertisement of the 10.10.0.0/16 subnet. This drastically reduces the number
of routing table entries and EIGRP topology table entries that the core routers
must manage.

In addition, if Internet connectivity is required, network address
translation (NAT) must be used in order to translate the 10.0.0.0/8 addresses
to a valid IP address range. NAT configuration is not considered in this
example.

Ports on the access-layer Catalyst 2948G switches are assigned to VLANs
and are configured as host ports with the set port
host command. This command enables spanning-tree portfast and
turns off trunking and channeling on the ports.

Make sure you save the running configuration to NVRAM (startup
configuration) on the Catalyst 2948G-L3 switches so that the configuration is
retained if the switch is reloaded. On the CatOS switches, Catalyst 2948G and
Catalyst 6506 switches, this step is not necessary because the changes to the
configuration are saved in NVRAM immediately after you enter each command.